From all I have searched, there are some specific solutions depending on the container, but it is somehow 'contrary to the specification'. I have also looked through Java EE specification without any luck on finding an answer.

Some developers talk about coupling between web applications, but I tend to disagree. What is the reason one would keep WARs inside the same EAR if not coupling? EJBs, for instance, can be accessed locally (even if inside another EJB JAR within the same EAR).

More specifically, one of my WARs handles authentication and authorization, and I would like to share this information with other WARs (in the same EAR). I have managed to work around similar problems before by packaging WARs as JARs and putting them into a singular WAR project (WEB-INF/lib). Yet I do not like this solution (it requires a huge effort on servlet naming and so on).

And no solution has answered the first (and most important) question: Why can't WARs share session information?

Not sure why this was downvoted, other than it might be a better fit for SO.
–
NateDSaintDec 4 '12 at 21:29

1

"In accordance with the servlet 2.3 API specification, the session manager supports session scoping by Web module only. Only servlets in the same Web module can access the data associated with a particular session." This can be seen again in HttpSession - "Session information is scoped only to the current web application (ServletContext), so information stored in one context will not be directly visible in another." - Doing so is contrary to the specification.
–
MichaelTDec 4 '12 at 22:00

4 Answers
4

An EAR is simply a collection of WAR files that share common configuration and libraries, usually from JARs. This enables a collection of inter-dependent services to be managed more easily within an application container. Thus you can think of an EAR as a simple form of virtual machine once it is deployed into its container.

In the same way that one process on a virtual machine cannot affect another, the same is true for an EAR. All the WARs are isolated to protect their internal state.

Scaling authentication

In general web applications need to be stateless to scale well. Having a lot of information in the session is an anti-pattern that prevents this. This leads to a conflict between the stateless nature of HTTP and the need to maintain a speedy, customised user experience. Authentication is a classic use case, and is prevalent in chatty APIs that require a lot of authenticated requests to deliver end-user functionality.

Single Sign On and Single Sign Off need careful signalling to work correctly (consider partial Sign Off), particularly when horizontal scaling is in place. Simply sharing session state is almost never a good solution and a better approach is to use a single point of reference for the user information that all nodes in the cluster have access to.

Thanks, @GaryRowe. This is the answer I was looking for. Anyway, could not that be for the developer to decide?
–
rvcoutinhoDec 5 '12 at 12:46

Another question: Would you think JBoss Cache might be a good solution? Have you heard of Apache Shiro (and its session clustering)? What about it?
–
rvcoutinhoDec 5 '12 at 12:48

@rvcoutinho Does the application developer decide how processes are managed in the Linux kernel? It's a similar framing of a question - yes, you could do it but it's going to be extremely hard and probably cause you more pain than taking the alternative path.
–
Gary RoweDec 6 '12 at 9:57

2

@rvcoutinho I've not used Apache Shiro (aka Apache Security) but I imagine that it would be a good solution to the shared security issue. Definitely consider integrating with OpenID and OAuth2 rather than rolling your own protocol to achieve the same thing. JBoss Cache is by their own admission in a dead end being replaced with Infinispan which looks rather complex. You might want to take a look at the Twelve-Factor App site for a glimpse of a simpler more scalable solution.
–
Gary RoweDec 6 '12 at 10:05

Well, AFAIKS, there's no real reason why you'd like to do this. A WAR is a self contained web application, with it's own (web application specific) scopes (like session scope).
If you need to share functionality (Java code, JSP pages, CSS files), between multiple WARs you have the far more sensible option of packaging them as JAR files and deploying them in your application server.
A WAR package is a more complex packaging solution, and one designed to encapsulate something different than simple "common code/functionality". The JAR is a simpler format AND is designed for packaging and sharing code and functionality. Why would you want to use a more complex and not-specificaly-designed-for-that packaging to share something, when you have have a simpler and more-suited-to-that package format already available.
Think of JSTL Tags, Struts JQuery Plugin, Spring security, they all come as JARs.

I agree with you. But only when it comes just to general resources. But, for a single sign-on application, I would need to share session specific information (about the logged user). And I see no reason why this would be against the spec.
–
rvcoutinhoDec 4 '12 at 23:59

2

Because session scope is not made to share current user data between different applications. And because SSO implies more than inspecting session scope attributes. You can make and package code outside your war (and which would not depend upon your war, but rather have the war depend on it) that would access session scope attributes if you wanted (like a filter), but the better solution IMHO would be to have a separate facade application or server configuration that deals with auth, and grants access to other (war deployed) applications.
–
Shivan DragonDec 5 '12 at 0:33

I would again agree with you. Yet the JavaEE specification (using JAAS) holds the user information as part of the HttpSession, which is opposed to this approach. One of the reasons I have been considering to use Shiro (it maintains an orthogonal session) instead.
–
rvcoutinhoDec 5 '12 at 2:31

Anyway, thanks for the response. I still do not have a definitive answer for my question, but all you have said is relevant. +1
–
rvcoutinhoDec 5 '12 at 2:35

I think this was done on purpose, to avoid different web apps accidentally overwriting each others session information. It might come handy in your case, but in general, you don't want users to make the app crash or escalate their privileges just because they use two web apps at the same time. It's not exactly difficult to explicitely share information between web apps; just make a class with a static HashMap, use GUIDs as keys and transfer them as part of the URL or HTTP parameter.

Thanks. Actually, I was not talking about sharing the whole session between every application, but specific session information (as user info) when needed. Maybe I was not clear. Any suggestions on making it clearer?
–
rvcoutinhoDec 5 '12 at 12:33